Old Index Old Sourcetype New Field - Search Issues

hkchew · ‎01-21-2019

Hi all,

I have used back the old index & sourcetype but i have re-created new field names for my dashboard.
when using the dashboard, i will see the new fields but the rest of my team will see the old fields.
How can I resolve this? Please advise.
Thank you very much

Eg.
old index = "ABC"
old sourcetype = "DDD"
old fieldname = "DDD_XXX"

old index = "ABC"
old sourcetype = "DDD"
new fieldname = "DDD_YYY"

renjith_nair · ‎01-21-2019

@hkchew , have you set the permissions to the new fields so that others can see ?

Happy Splunking!

dkeck · ‎01-21-2019

HI

could it be that you did not change the permissions of your new field extractions

Check them in Fields » Field extractions » Permissions

hkchew · ‎01-21-2019

Hi dkeck,

permissions have been set to "global".

dkeck · ‎01-22-2019

Ok, please check if the users have a field extraction in their users folder for your sourcetype/source/host

/opt/splunk/etc/users/username/appname/local/props.conf

sometimes this could interfere with other extractions, when then refer to the same name or field.

Also check if you have these new extractions within your users folder, because then they have not been shared with others.

Old Index Old Sourcetype New Field - Search Issues

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM